300 likes | 624 Views
Cryptographic Protocol Analysis. Jonathan Millen SRI International. Cryptographic Protocols in Use. Cryptographic protocol: an exchange of messages over an insecure communication medium, using cryptographic transformations to ensure authentication and secrecy of data and keying material.
E N D
Cryptographic Protocol Analysis Jonathan Millen SRI International
Cryptographic Protocols in Use • Cryptographic protocol: an exchange of messages over an insecure communication medium, using cryptographic transformations to ensure authentication and secrecy of data and keying material. • Applications: military communications, business communications, electronic commerce, privacy • Examples: • Kerberos: MIT protocol for unitary login to network services • SSL (Secure Socket Layer, used in Web browsers), TLS • IPSec: standard suite of Internet protocols due to the IETF • ISAKMP, IKE, JFK, ... • Cybercash (electronic commerce) • EKE, SRP (password -based authentication) • PGP (Pretty Good Privacy)
The Security Threat:Active Attacker (Dolev - Yao model) Attacker can: -intercept all messages -modify addresses and data Attacker cannot: -encrypt or decrypt without the key (ideal encryption)
A Simple Example • The Needham-Schroeder public-key handshake • (R. M. Needham and M. D. Schroeder, “Using Encryption for Authentication in Large Networks of Computers,” CACM, Dec., 1978) • A B: {A, Na}pk(B) • B A: {Na, Nb}pk(A) • A B: {Nb}pk(B) • This is an “Alice-and-Bob” protocol specification • Na and Nb are nonces (used once) • pk(A) is the public key of A • A and B authenticate each other, Na and Nb are secret • The protocol is vulnerable...
The Attack A malicious party M can forge addresses, deviate from protocol A (normal) M (false) B (thinks he’s talking to A, Nb is compromised) {A,Na}pk(M) {A,Na}pk(B) {Na,Nb}pk(A) {Na,Nb}pk(A) {Nb}pk(M) {Nb}pk(B) Lowe, “Breaking and Fixing the Needham-Schroeder Public Key Protocol Using FDR,” Proc. TACAS 1996, LNCS 1055
What Makes Protocol Analysis Hard? The attacker. Unbounded number of concurrent sessions. • Recursive data types. • {a,b,c, ... } = {a, {b, {c, ... }...} • {...{{{a}k1}k2}k3 ... • Infinite data types (nonces) • n1, n2, n3, ...
Crypto Protocol Analysis Crypto Protocol Analysis Formal Models Computational Models Dolev-Yao (ideal encryption) Probabilistic poly-time Random oracle (bit leakage) Belief Logics Model Checking Inductive Proofs
Belief Logics • Origin: Burrows, Abadi, and Needham (BAN) Logic (1990) • Modal logic of belief (“belief” as local knowledge) • Special constructs and inference rules • e.g., P sees X (P has received X in a message) • Protocol messages are “idealized” into logical statements • Objective is to prove that both parties share common beliefs • Example inference rule: • Implicit assumption that secrets are protected! • Good for authentication proofs, but not confidentiality P believes fresh(X), P believes Q said X P believes Q believes X
Model Checking Tools • State-space search for reachability of insecure states • History: back to 1984, Interrogator program in Prolog • Meadows’ NRL Protocol Analyzer (NPA), also Prolog • Early Prolog programs were interactive • Song's Athena is recent, automatic • General-purpose model-checkers applied • Searched automatically given initial conditions, bounds • Roscoe and Lowe used FDR (model-checker for CSP) • Mitchell, et al used Murphi • Clarke, et al used SMV • Denker, et al used Maude • Can only search a finite state space
Inductive Proofs • Approach: like proofs of program correctness • Induction to prove secrecy invariant • General-purpose specification/verification system support • Kemmerer, using Ina Jo and ITP (1989) (the first) • Paulson, using Isabelle (1997) (the new wave) • Dutertre and Schneider, using PVS (1997) • Bolignano, using Coq (1997) • Can also be done manually • Schneider, in CSP; Guttman, et al, in strand spaces • Contributed to better understanding of invariants • Much more complex than belief logic proofs • Full guarantee of correctness (with respect to model) • Proofs include confidentiality • No finiteness limits
Undecidable in General • Reduction of Post correspondence problem • Word pairs ui, vi for i = 1, …, n • Does there exist ui1...uik = vi1...vik? • No general algorithm to decide • Protocol: • Compromises secret if • solution exists • Attacker can feed output of one • instance to input of another • Attacker cannot read or forge messages • because of encryption • Messages are unbounded Initial party send {, }K The ith party receive {X,Y}K if X = Y , send secret else send {Xui,Yvi}K
A Decidable-Security Version: Ping Pong Protocols (Dolev-Yao ‘83) • Abstract public-key encryption Ea, decryption Da per party • Reduction DaEaM = M • Protocol accumulates operators on an initial message M • Attacker intercepts messages and applies operators also Ea M Secrecy of M decidable in linear time M EaM Ea EaM EaEaM Ea EbDaEaEaM EbDa EbEaM
Bounded-Process Decidability Limit the number of legitimate process instances (Huima, 1999) Large class of protocols
Crypto Protocol Analysis Crypto Protocol Analysis Formal Models Computational Models Dolev-Yao (ideal encryption) Probabilistic poly-time Random oracle (bit leakage) Modal Logics Model Checking Inductive Proofs Finite-state Bounded-process decidable Antti Huima, 1999 Symbolic states (extended abstract) Inspired subsequent work: Amadio-Lugiez Boreale Fiore-Abadi Rusinowitch-Turuani (NP-complete) Millen-Shmatikov (constraint solver)
Constraint Solving • Parametric strand specification • Finite scenario setup • Generating constraint sets • Solve constraint set (finds attack) or prove unsolvable (secure)
Parametric Strand Specification Protocol A-role strand B-role strand A B {A,NA}pk(B) +{A,NA}pk(B) - Strand: node sequence - Node is directed message term - Role has variables in terms {NB,NA}pk(A) -{NB,NA}pk(A) {NB}pk(B) +{NB}pk(B)
ma1 a1 mb1 ma2 b1 a2 mb2 ma3 b2 a3 mb3 b3 Semibundle Scenario A-roles B-roles Tester ma1 mb1 s c1 a1 b1 - May have multiple role instances - s is the secret (skolem constant) - Strands distinguished by constant nonces - Search for bundle - Bundle instantiates variables ma2 mb2 a2 b2 ma3 mb3 a3 b3 Bundle: every received message is computable by an attacker (original “bundle” includes explicit attacker operation strands)
Constraint Set Generation Enumerate all linear node orderings consistent with strands s1 r1 Constraints r1: T0 , s1 r2: T0 , s1 , s2 r3: T0 , s1 , s2, s3 a1 b1 r2 s2 a2 b2 s3 r3 a3 b3 m: T means m can be computed from T received messages have computability constraint (T0 is set of terms known initially to attacker)
Reduction Tree Initial constraint set apply every possible reduction rule to first m:T where m is not a variable • • • • • • No rule is applicable var1 : T1 • • • varN : TN or Always satisfiable! A constraint set is solvable if it is reducible to a satisfiable set
Analysis Rule Example m : {t1,t2}, T (split) m : t1, t2, T
Synthesis Rule Example {m}k : T (enc) m : T k : T
Unification Eliminates a Constraint • Unify left side term with some term on right • Instantiate variables if necessary - part of solution m : t, T (un) -
Encryption Decomposition • *Encrypted term is marked to avoid looping m : {t}k , T (sdec) k : {t}k*, T m : t, k, T
Implementation • Prolog Program • Standard Edinburgh Prolog • (can use public domain SWI or XSB) • Short - three pages • Fast - 50,000 interleavings/minute normally • Easy protocol specification
NSPK for Prolog Solver strand(roleA,A,B,Na,Nb,[ recv([A,B]), send([A,Na]*pk(B)), recv([Na,Nb]*pk(A)), send(Nb*pk(B)) ]). strand(roleB,A,B,Na,Nb,[ recv([A,Na]*pk(B)), send([Na,Nb]*pk(A)), recv(Nb*pk(B)) ]). strand(test,S,[recv(S)]). A B: {A, Na}pk(B) B A: {Na, Nb}pk(A) A B: {Nb}pk(B) • Capital letters are variables • Originated variables must be nonces • Principals are not originated (Originated: appearing first in a send)
Scenario Semibundle and Query • nspk0([Sa,Sb,St]) :- • strand(roleA,_A,_B,na,_Nb,Sa), • strand(roleB,a,b,_Na,nb,Sb), • strand(test,nb,St). • :- nspk0(B),search(B,[]). • The secret and the principals sharing it are instantiated • Other nonces are instantiated in originator strand • Authentication test is also possible
Search Result • ?- nspk0(B),search(B,[ ]). • Starting csolve... • Try 1 Try 2 Try 3 Try 4 • Simple constraints: • Trace: • recv([a, e]) • send([a, na]*pk(e)) • recv([a, na]*pk(b)) • send([na, nb]*pk(a)) • recv([na, nb]*pk(a)) • send(nb*pk(e)) • recv(nb*pk(b)) • recv(nb) e is the attacker a e: {a, na}pk(e) ? a: {na, nb}pk(a) a e: {nb}pk(e) ? ?: nb ? b: {a, na}pk(b) b a: {na, nb}pk(a) ? b: {nb}pk(b)
Other Resources • Information on CAPSL web site: • http://www.csl.sri.com/~millen/capsl • ACM CCS-8 paper, "Bounded-process cryptographic protocol analysis" • Prolog constraint solver program and NSL example • Bibliography